Your Business Was DORA Compliant Yesterday. What About Today?


Configuration Drift: The Silent Threat to DORA Compliance

It has been a couple of years since compliance officers in banks, insurance companies, and investment firms began hardening their organisations’ operational resilience to a new set of regulations.

So, for many, when the Digital Operational Resilience Act (DORA) came into effect in January, it was old news.

But having achieved readiness before the new year, how sure can you be that your estate has not been compromised by configuration drift?

What happens when a browser update changes security settings, when a Windows patch alters registry configurations, or when well-meaning IT staff make ad-hoc adjustments to resolve urgent operational issues?

The DORA Compliance Imperative for UK Financial Services

UK financial institutions cannot afford complacency regarding DORA compliance. If your company is based in the UK and operates in the EU, you're clearly in its scope. And if your IT services are provided by a company in the EU, that entity is also in its scope.

The implications extend beyond simple regulatory compliance. DORA won't apply directly to the UK financial services sector, due to Brexit, although many financial firms operate in Europe so will have to comply with the Act. However, the rules are also part of a global regulatory push towards operational resilience, meaning UK-only institutions must prepare for similar domestic requirements.

The Five Pillars of DORA Compliance

Understanding DORA's scope reveals why configuration management is critical:

  1. ICT Risk Management - Requires robust frameworks to identify, assess, and manage information and communications technology risks
  2. Incident Management, Classification & Reporting - Mandatory rapid incident response and stringent system testing
  3. Digital Operational Resilience Testing - Including threat-led penetration testing requirements
  4. ICT Third Party Risk Management - Ensuring suppliers meet DORA standards
  5. Information Sharing - Collaborative threat intelligence sharing

Each pillar depends fundamentally on maintaining consistent, compliant configurations across your entire IT estate. Together, they have created a level playing field of cyber protection requirements for all financial institutions operating in the EU or with suppliers in the EU.

The 12-Phase DORA Implementation Process

DORA implementation for financial organisations can be broken down into 12 phases:

Strategic Foundation (Phases 1-3):

  1. Gap analysis and governance establishment - Assessing current state and defining senior management responsibilities
  2. Project planning and team training - Resource allocation, milestone definition, and DORA expertise development
  3. ICT risk management framework design - Policies, procedures, and governance structure documentation

Core Technical Implementation (Phases 4-7)

  1. Asset identification and risk assessment - Cataloguing ICT assets, dependencies, and threat landscape analysis
  2. Digital resilience strategy development - Comprehensive strategy documenting risk tolerance and security objectives
  3. Cybersecurity controls deployment - Network management, access control, authentication, and change management implementation
  4. Business continuity and resilience measures - Backup systems, recovery procedures, and crisis management capabilities

Operational Excellence (Phases 8-12):

  1. Third-party risk management programme - Vendor assessment, contractual obligations, and supply chain security
  2. Incident management and reporting systems - Detection, classification, notification, and response procedures
  3. Testing and monitoring frameworks - Vulnerability assessments, penetration testing, and performance measurement
  4. Internal audit and review processes - Independent verification, management reviews, and compliance validation
  5. Continuous improvement and corrective action - Follow-up procedures, lessons learned integration, and framework evolution

Following these 12 phases will deliver a security-hardened IT estate ready for DORA compliance approval. But this approach recognises that any financial organisation must continuously improve to stay ahead of developing threats, and that is DORA’s great challenge: compliance is not a destination but an ongoing operational requirement demanding persistent configuration management.

Where Traditional Implementation Approaches Fall Short

This phased implementation approach, whilst comprehensive, often overlooks the reality of configuration drift.

Organisations that have successfully implemented DORA compliance now face a critical challenge: maintaining compliance over time through effective configuration management.

Consider these critical gaps:

❌ Phase 6 Reality Check: Cybersecurity Controls Deployment

DORA requires various cybersecurity measures including network management, access control, authentication, change management, and patch management. However, deploying these controls once does not ensure they remain effective:

  • Change Management Challenges: Every software update, security patch, and system modification can alter configured security settings
  • Authentication Drift: Multi-factor authentication settings, session timeouts, and access controls can be reset by application updates
  • Network Configuration Changes: Firewall rules, VPN settings, and network security policies drift over time

❌ Phase 7 Limitations: Business Continuity Degradation

Business continuity policies, response and recovery plans, and backup procedures require ongoing validation, yet traditional approaches struggle with:

  • Backup Configuration Verification: Ensuring backup systems maintain proper encryption, scheduling, and retention settings
  • Recovery Plan Currency: Keeping disaster recovery procedures aligned with evolving infrastructure configurations
  • Crisis Communication Systems: Maintaining communication channel security and availability

❌ Phase 10 Monitoring Inadequacy

Testing and monitoring frameworks require comprehensive performance measurement and vulnerability assessment. However, without continuous configuration monitoring:

  • Performance Reporting Gaps: Configuration drift can compromise monitoring system effectiveness
  • Testing Result Validity: Security assessments may not reflect actual operational configurations
  • Management Visibility Loss: Dashboards and reporting systems may provide inaccurate compliance status

The Configuration Drift Challenge

Configuration drift represents the silent underminer of DORA compliance efforts. Whilst organisations invest heavily in the initial 12-phase implementation, ongoing compliance deteriorates through:

❌ Technological Evolution Impact

  • Browser Updates: Modern financial services rely heavily on web browsers, yet each update can reset security configurations
  • Operating System Changes: Windows updates frequently modify registry settings, security policies, and service configurations
  • Application Modernisation: Cloud migration and application updates alter authentication, encryption, and access control settings

❌ Operational Pressures

  • Emergency Changes: Urgent operational requirements often bypass change management procedures
  • Staff Turnover: New team members may not understand the importance of specific configuration settings
  • Vendor Updates: Third-party software updates can override carefully configured security parameters
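The drift scenarios above (a browser update reverting a TLS policy, an application update resetting a session timeout, an operator enabling a legacy protocol under pressure, an installer removing a key) all reduce to the same check: compare what an endpoint reports against an approved baseline, rank the deviations, and record the result so an auditor can later prove what was found and when. The following is an added, self-contained example of that check, written for this page and not taken from the article or from APPtechnology's product; the setting names, severities, endpoint name and snapshot values are constructed for illustration and do not correspond to real registry keys or policy identifiers.

```python
"""Configuration drift detection with a tamper-evident audit trail.

Added example for this page; not APPtechnology code and not DORA text.
Setting names and the endpoint snapshot below are constructed."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Any

# Hardening baseline: setting name -> (approved value, severity if it drifts).
# Names are illustrative, not real Windows registry or browser policy keys.
BASELINE: dict[str, tuple[Any, str]] = {
    "os.smbv1_enabled":             (False, "critical"),
    "os.firewall_inbound_default":  ("block", "critical"),
    "auth.mfa_required":            (True, "critical"),
    "auth.session_timeout_minutes": (15, "high"),
    "browser.tls_min_version":      ("1.2", "high"),
    "browser.password_manager":     (False, "medium"),
    "backup.encryption_enabled":    (True, "critical"),
    "backup.retention_days":        (90, "high"),
}

# Constructed snapshot of one endpoint after a browser update and an ad-hoc
# operator change: three settings no longer match the baseline and one key
# is missing entirely (as if removed by an installer).
OBSERVED_SNAPSHOT = {
    "endpoint": "WKS-0042",
    "collected_at": "2025-03-01T08:15:00Z",
    "settings": {
        "os.smbv1_enabled": True,               # enabled to reach a legacy share
        "os.firewall_inbound_default": "block",
        "auth.mfa_required": True,
        "auth.session_timeout_minutes": 480,    # reset by an application update
        "browser.tls_min_version": "1.0",       # browser update reverted the policy
        "backup.encryption_enabled": True,
        "backup.retention_days": 90,
        # "browser.password_manager" is absent: the key was removed
    },
}

@dataclass(frozen=True)
class Drift:
    setting: str
    expected: Any
    actual: Any        # None when the setting is missing from the snapshot
    severity: str
    kind: str          # "changed" or "missing"

def detect_drift(baseline, settings) -> list[Drift]:
    """One Drift per deviation from the baseline, highest severity first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    drifts = []
    for name, (expected, severity) in baseline.items():
        if name not in settings:
            drifts.append(Drift(name, expected, None, severity, "missing"))
        elif settings[name] != expected:
            drifts.append(Drift(name, expected, settings[name], severity, "changed"))
    return sorted(drifts, key=lambda d: (rank[d.severity], d.setting))

def remediation_plan(drifts):
    """Values to re-apply, keyed by setting: the baseline value for each drift."""
    return {d.setting: d.expected for d in drifts}

def _canonical(body) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def audit_record(snapshot, drifts, prev_hash="0" * 64):
    """Audit entry whose hash covers endpoint, timestamp, findings and the
    previous record's hash, so altering or dropping an earlier entry breaks
    the chain."""
    body = {
        "endpoint": snapshot["endpoint"],
        "collected_at": snapshot["collected_at"],
        "compliant": not drifts,
        "findings": [asdict(d) for d in drifts],
        "prev_hash": prev_hash,
    }
    body["record_hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    return body

def verify_chain(records) -> bool:
    """Recompute each record hash and check linkage; True if the trail is intact."""
    prev = "0" * 64
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if body["prev_hash"] != prev:
            return False
        if hashlib.sha256(_canonical(body)).hexdigest() != rec["record_hash"]:
            return False
        prev = rec["record_hash"]
    return True

if __name__ == "__main__":
    found = detect_drift(BASELINE, OBSERVED_SNAPSHOT["settings"])
    for d in found:
        print(f"[{d.severity:8}] {d.setting}: expected {d.expected!r}, "
              f"got {d.actual!r} ({d.kind})")
    print("remediate:", remediation_plan(found))
    rec = audit_record(OBSERVED_SNAPSHOT, found)
    print("audit hash:", rec["record_hash"], "chain intact:", verify_chain([rec]))
```

Run as a script, it lists four deviations (the re-enabled legacy protocol first, then the timeout and TLS regressions, then the missing key), prints the settings to re-apply, and emits one hash-chained audit record. The chain matters for the audit requirement: each record's hash includes the previous record's hash, so a reviewer can recompute the chain and detect a missing or edited entry, which is the property a manually maintained spreadsheet cannot offer.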

Beyond Point-in-Time Implementation: Continuous Compliance Architecture

The manual approach to security hardening is to treat compliance as a project with a defined deadline. DORA puts an end to that approach in the financial services industries.

Manual configuration management cannot sustain DORA compliance requirements due to fundamental limitations in scale, timing, and documentation across entire enterprise estates with hundreds of settings per endpoint. DORA’s reporting timelines demand real-time configuration monitoring and immediate remediation capabilities that manual processes simply cannot deliver.

Added to that burden are the regular internal audits that require comprehensive configuration documentation and evidence of continuous compliance that exceed the capacity of manual tracking systems to provide accurately and consistently.

The Automation Advantage in DORA Implementation

To solve these numerous problems, we recommend an automated solution that transforms the traditional implementation approach by embedding continuous compliance into each implementation phase:

✔️ Enhanced Phases 4-6: Automated Asset and Risk Management

  • Real-time asset configuration monitoring aligned to DORA guidelines
  • Automated risk assessment updates as configurations change
  • Immediate cybersecurity control enforcement and remediation

✔️ Strengthened Phases 9-10: Continuous Incident Management and Monitoring

  • Automated incident detection through configuration monitoring
  • Real-time performance reporting with configuration context
  • Testing frameworks that reflect actual operational configurations

✔️ Improved Phases 11-12: Audit and Continuous Improvement Automation

  • Comprehensive audit trails of all configuration changes
  • Automated corrective measures for configuration drift
  • Continuous improvement through intelligent remediation learning

The Manual Compliance Trap: Why the 12-Phase Process Isn't Enough

You may have a false sense of security if you followed a comprehensive, phased DORA implementation programme that was completed in January 2025. Because DORA implementation is never complete. Once you have addressed the initial compliance requirements, you need to solve the fundamental challenge of maintaining compliance over time.

Most organisations successfully complete the initial implementation phases:

✓ Gap analysis completed - Initial assessment identifies non-compliance areas
✓ Senior management support obtained - Budget and resources allocated for project
✓ ICT risk management framework documented - Policies, procedures, and protocols written
✓ Cybersecurity controls deployed - Technical measures implemented across infrastructure
✓ Business continuity procedures established - Response and recovery plans documented

However, the ongoing operational requirements expose critical weaknesses:

✗ Configuration drift undetected - Security settings gradually deviate from baselines
✗ Manual monitoring overwhelmed - Hundreds of settings across thousands of endpoints
✗ Incident response compromised - Changed configurations affect detection capabilities
✗ Audit trail inadequate - Manual documentation cannot capture all changes

The Superior DORA Implementation Strategy: From Manual to Automated Compliance

As cyber threats evolve and regulatory expectations intensify, reactive compliance approaches become increasingly inadequate. But there is an automated solution for DORA compliance which addresses deficiencies and prevents disruptions with robust risk management and response plans for cyber threats.

The modern compliance landscape demands solutions that provide continuous visibility, automated remediation, and comprehensive audit capabilities. APPtechnology's Endpoint Security Hardening solution represents this evolution, transforming compliance from periodic projects into one continuous, reliable, automated system.

Infographic: Manual vs Automated DORA Compliance

Unlike the 12-phase DORA implementation, a typical implementation of APPtechnology Endpoint Security Hardening for DORA compliance looks something like this:

1. Baseline Assessment

Current State Analysis:

  • Comprehensive configuration drift assessment across your estate
  • Identification of non-compliant endpoints and critical gaps
  • Documentation of existing manual processes and resource allocation
  • Risk assessment of current compliance vulnerabilities

Gap Identification:

  • Mapping of DORA requirements against current configurations
  • Identification of manual processes requiring automation
  • Assessment of audit trail adequacy
  • Evaluation of incident response capability readiness

2. Pilot Implementation

Controlled Deployment:

  • Implementation on representative sample of endpoints
  • Testing of automated remediation capabilities
  • Validation of business process compatibility
  • Fine-tuning of policy configurations

Process Integration:

  • Integration with existing change management procedures
  • Alignment with incident response workflows
  • Training for IT and compliance teams
  • Development of escalation procedures

3. Full-Scale Rollout

Enterprise Deployment:

  • Systematic rollout across entire endpoint estate
  • Continuous monitoring implementation
  • Automated reporting configuration
  • Comprehensive audit trail activation

Optimisation and Enhancement:

  • Performance monitoring and adjustment
  • Policy refinement based on operational experience
  • Integration with broader security ecosystem
  • Preparation for regulatory audit requirements

DORA Compliance Yesterday, Today and Every Day

Your organisation achieved DORA compliance yesterday through significant effort and investment. The question facing every compliance officer today is straightforward: how will you maintain that compliance tomorrow, next week, and throughout the coming year?

Manual processes cannot provide the continuous compliance DORA demands. Configuration drift is inevitable. The only question is whether your organisation will detect and remediate it proactively or discover it during an audit or, worse, during a security incident.

APPtechnology's Endpoint Security Hardening solution eliminates this uncertainty. Our always-on compliance maintenance system ensures your organisation remains DORA-compliant not just today, but every day.

Book a Free Compliance Assessment

Contact us today to request a free 30-minute drift assessment and we will demonstrate how APPtechnology can identify non-compliance across a sample of your endpoints based on your existing security and, moreover, demonstrate how simple it is to apply and enforce the best practice settings for 100% compliance.
